From: Ansgar 🙀 <ans...@43-1.org>
To: Pierre-Elliott Bécue <p...@debian.org>; Luca Boccassi <bl...@debian.org>
Cc: debian-devel@lists.debian.org
Date: 1 Apr 2024 12:47:52
Subject: Re: xz backdoor

> 
> Hi,
> 
> On Sun, 2024-03-31 at 14:34 +0200, Pierre-Elliott Bécue wrote:
>> The PGP submodule of a Yubikey can host 3 keys, one signing, one
>> authent, and one encrypt. ISTR accessing the signing key is always
>> prompting for the PIN. Same for the encryption key. (I think both can
>> be configured otherwise)
> 
> I think presence confirmation is more useful, that is, interacting
> physically with the device for each signature.  The Yubikey can do that
> also for OpenPGP:
> 
> ```
> $ ykman openpgp keys set-touch --help
> [...]
>   Touch policies:
> 
>   Off (default)   no touch required
>   On              touch required
>   Fixed           touch required, can't be disabled without deleting the private key
>   Cached          touch required, cached for 15s after use
>   Cached-Fixed    touch required, cached for 15s after use, can't be disabled
>                   without deleting the private key
> ```
> 
> (The PIN can still be cached.)
> 
> For OpenSSH it might also be more convenient to use Webauthn, that is,
> the keys generated using `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk`.
> 
> Ansgar
Yes, I did not mention the touch policy because right now I fail to have it 
enforced by the Yubi after having set it.

-- 
Pierre-Elliott Bécue
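The thread recommends hardware-backed OpenSSH keys (`ssh-keygen -t ed25519-sk` / `-t ecdsa-sk`) so that every signature needs a physical touch. A natural follow-up check for an administrator is whether an `authorized_keys` file still carries software keys that bypass that requirement. The script below is an added example written for this page, not code from the thread or from Debian; it assumes the OpenSSH key-type names `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` (what the `-sk` key types produce) and uses a constructed sample file with placeholder key blobs.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an authorized_keys-style
# file and list every key that is NOT a FIDO/U2F-backed "-sk" key type.
# Assumption: OpenSSH names such keys sk-ssh-ed25519@openssh.com and
# sk-ecdsa-sha2-nistp256@openssh.com; anything else is a software key.

# Print one line "<type> <comment>" per key that is not an sk key.
list_non_sk_keys() {
    # $1: path to an authorized_keys-style file
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        {
            # A line may start with options (e.g. restrict,command="..."),
            # so the key type is the first field beginning with ssh-, ecdsa- or sk-.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    type = $i
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    if (type !~ /^sk-/) print type, comment
                    break
                }
            }
        }' "$1"
}

# Number of non-sk keys; handy as a pass/fail gate in a config check.
count_non_sk_keys() {
    list_non_sk_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample input: the base64 blobs are placeholders, not real keys.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample authorized_keys
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAA yubikey-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI software-key-old
restrict,command="/usr/bin/rrsync /srv" ssh-rsa AAAAB3NzaC1yc2EAAAADAQ backup-host
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAA yubikey-desk
EOF

# Stand-alone usage: report the software keys in the sample file.
list_non_sk_keys "$SAMPLE"
echo "non-sk keys: $(count_non_sk_keys "$SAMPLE")"
```

Run it against a real `~/.ssh/authorized_keys` by replacing `$SAMPLE` with that path; an empty report means every key that can log in requires the token. The check only looks at key types, so it says nothing about whether the token's touch policy is actually enforced, which is exactly the problem the reply above describes.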
